Abstract — The problem of securing a network coding communication system against an eavesdropper adversary is considered. The network implements linear network coding to deliver $n$ packets from source to each receiver, and the adversary can eavesdrop on $\mu$ arbitrarily chosen links. The objective is to provide reliable communication to all receivers, while guaranteeing that the source information remains information-theoretically secure from the adversary. A coding scheme is proposed that can achieve the maximum possible rate of $n - \mu$ packets. The scheme, which is based on rank-metric codes, has the distinctive property of being universal: it can be applied on top of any communication network without requiring knowledge of or any modifications on the underlying network code. The only requirement of the scheme is that the packet length be at least $n$, which is shown to be strictly necessary for universal communication at the maximum rate. A further scenario is considered where the adversary is allowed not only to eavesdrop but also to inject up to $t$ erroneous packets into the network, and the network may suffer from a rank deficiency of at most $\rho$. In this case, the proposed scheme can be extended to achieve the rate of $n - \rho - 2t - \mu$ packets. This rate is shown to be optimal under the assumption of zero-error communication.



I. Introduction 

The paradigm of network coding [1]-[3] has provided a rich source of new problems that generalize traditional problems in communications. One such problem, introduced in [4] by Cai and Yeung, is that of securing a multicast network against an eavesdropper adversary.

Formally, consider a multicast network with unit capacity edges implementing linear network coding over a finite field $\mathbb{F}_q$. It is assumed that each link in the network carries a packet consisting of $m$ symbols in $\mathbb{F}_q$ and that the network is capable of reliably transporting $n$ packets from the source to each destination. Now, suppose there is an eavesdropper that can listen to transmissions on $\mu$ arbitrarily chosen links of the network. The secure network coding problem is to design an outer code (and possibly also the underlying network code) such that a message can be communicated to each receiver without leaking any information to the eavesdropper (i.e., security in the information-theoretic sense).

The work of Cai and Yeung shows that the maximum achievable rate (i.e., the secrecy capacity) for this problem is given by $n - \mu$ packets, achievable if the field size $q$ is sufficiently large. They presented a construction of an outer code that achieves this capacity provided that $q > \binom{|\mathcal{E}|}{\mu}$. Their construction takes $O(q)$ steps and requires that the outer code meet certain security conditions imposed by the underlying network code. Later, Feldman et al. [5] showed that, by slightly reducing the rate, it is possible to efficiently construct an outer code that is secure with high probability using a much smaller field size. On the other hand, they also showed that, under the assumption of a scalar linear outer code, there are instances of the problem where a very large field size is strictly necessary to achieve capacity.

More recently, Rouayheb and Soljanin [6] showed that the secure network coding problem can be regarded as a network generalization of the Ozarow-Wyner wiretap channel of type II [7], [8]. Their observation provides an important connection with a classical problem in information theory and yields a much more transparent framework for dealing with network coding security. In particular, they show that the same technique used to achieve capacity of the wiretap channel II — a coset coding scheme based on a linear MDS code — can also provide security for a wiretap network. Unfortunately, in their approach, the network code has to be modified to satisfy certain constraints imposed by the outer code.

Note that, in all the previous works, either the network code has to be modified to provide security [6], or the outer code has to be designed based on the specific network code used [4], [5]. In all cases, the network code must be known beforehand, and the field size required is significantly larger than the minimum required for conventional multicasting.

The present paper is motivated by Rouayheb and Soljanin's formulation of a wiretap network and builds on their results. Our first main contribution is a coset coding scheme that neither imposes any constraints on, nor requires any knowledge of, the underlying network code. In other words, for any linear network code that is feasible for multicast, secure communication at the maximum possible rate can be achieved with a fixed outer code. In particular, the field size can be chosen as the minimum required for multicasting. In this paper, such network-code-independent schemes are called universal. An important consequence of our result is that, if universal schemes are assumed, then the problem of information transport (i.e., designing a feasible network code) and the problem of security against an eavesdropper can be completely separated from each other. In particular, universal schemes can be seamlessly integrated with random network coding.

The essence of our approach is to use a vector linear outer code. More precisely, we regard packets as elements of an extension field $\mathbb{F}_{q^m}$, and use an outer code that is linear over $\mathbb{F}_{q^m}$. Taking advantage of this extension field, we can then replace the linear MDS code in Ozarow-Wyner coset coding scheme by a linear maximum-rank-distance (MRD) code, which is essentially a linear code over $\mathbb{F}_{q^m}$ that is optimal for the rank metric. Codes in the rank metric were studied by a number of authors [9]-[11] and have been proposed for error control in random network coding [12], [13]. Here, we show that, since the channel to the eavesdropper is a linear transformation channel (rather than an erasure channel), rank-metric codes are naturally suitable to the problem (as opposed to classical codes designed for the Hamming metric).

Another main contribution of this paper is the design of universal schemes that can provide both security and protection against errors. More precisely, we assume that the adversary is able not only to eavesdrop on $\mu$ arbitrarily chosen links, but also to inject $t$ erroneous packets anywhere in the network. We also assume that the network may suffer from a rank deficiency of at most $\rho$ packets. Previous work on this topic includes [14] and [15], which propose secure-error-correcting schemes achieving a rate $n - \rho - 2t - \mu$. However, these schemes are not universal and suffer from the same issues as the Cai-Yeung scheme discussed above.

Note that the naive approach to this problem would be 
simply to concatenate a secrecy encoder with an error control 
encoder. However, the security of such a scheme is not 
guaranteed because the error control encoder can potentially 
"undo" part of the secrecy encoding. On the other hand, 
if secrecy encoding is applied after error control encoding, 
then, due to the same reason, the concatenated scheme is not 
guaranteed to provide error control. 

Our approach to this problem is to design a single scheme that simultaneously provides security and error control, by leveraging the corresponding properties of rank-metric codes. Our proposed scheme is universal and achieves the rate of $n - \rho - 2t - \mu$ packets. We show that this rate is indeed optimal, under the assumption of zero-error communication.* This result (whose proof allows arbitrary packet lengths) generalizes a similar bound in [15] that assumed packet length $m = 1$ (i.e., a scalar linear outer code).

* If this assumption is relaxed to vanishingly small error probability, then higher rates may be achieved in some cases. See [16].

All the universal schemes proposed in this paper have a single limitation: the packet length must satisfy $m \ge n$. While this requirement is usually easily satisfied in the practice of random network coding (see, e.g., [17]), we show that it is also strictly necessary for universal communication. In other words, universal schemes that provide security and/or error control at the maximum rate do not exist if $m < n$. Thus, our proposed schemes are optimal also in the sense of requiring the smallest packet size among all universal schemes.



The remainder of the paper is organized as follows. Section II presents a brief review of rank-metric codes and the basic model of linear network coding. In Section III we formulate the problem of universal secure and reliable communication over a wiretap network, following the basic setup of the wiretap channel. In Section IV we start by addressing the special case where only error control is required. We prove a few auxiliary results that extend the results of [18]. Then, in Section V we address the special case where only security is required. The complete scenario of both security and error control is addressed in Section VI. In Section VII we discuss the practical application of our proposed schemes, and show that they can be implemented in a convenient and very efficient manner. Finally, Section VIII presents our conclusions.

Previous versions of this work appeared in [19]-[21].



II. Preliminaries 



A. Notation 



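Let $\mathbb{F}_q^{n \times m}$ denote the set of all $n \times m$ matrices over $\mathbb{F}_q$, and set $\mathbb{F}_q^n \triangleq \mathbb{F}_q^{n \times 1}$ (i.e., the elements of $\mathbb{F}_q^n$ are always seen as column vectors). For $M \in \mathbb{F}_q^{n \times m}$ and $\mathcal{S} \subseteq \{1, \ldots, n\}$, let $M_{\mathcal{S}}$ denote the submatrix of $M$ consisting of the rows indexed by $\mathcal{S}$. Let $\langle M \rangle$ denote the row space of matrix $M$.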



B. Rank-Metric Codes 

A matrix code is a nonempty set of matrices. The rank distance between matrices $X, Y \in \mathbb{F}_q^{n \times m}$ is defined as

$$d_R(X, Y) \triangleq \operatorname{rank}(Y - X).$$

As observed in [9], [10], the rank distance is indeed a metric. The minimum rank distance of a matrix code $\mathcal{C} \subseteq \mathbb{F}_q^{n \times m}$, denoted $d_R(\mathcal{C})$, is the minimum rank distance among all pairs of distinct codewords of $\mathcal{C}$.

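Let $\mathbb{F}_{q^m}$ be a degree $m$ extension of the finite field $\mathbb{F}_q$. Recall that $\mathbb{F}_{q^m}$ is also a vector space over $\mathbb{F}_q$. Let $\phi_m : \mathbb{F}_{q^m} \to \mathbb{F}_q^{1 \times m}$ be a vector space isomorphism. More concretely, $\phi_m$ expands an element of $\mathbb{F}_{q^m}$ as a row vector over $\mathbb{F}_q$ according to some fixed basis for $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Similarly, for all $n$, $\ell$, let $\phi_m^{(n \times \ell)} : \mathbb{F}_{q^m}^{n \times \ell} \to \mathbb{F}_q^{n \times \ell m}$ be the isomorphism defined by applying $\phi_m$ entry-wise.

We will remove the superscript from $\phi_m^{(n \times \ell)}$ when the dimensions of the argument are clear from the context. The rank distance between vectors $X, Y \in \mathbb{F}_{q^m}^n$ and the minimum rank distance of a block code $\mathcal{C} \subseteq \mathbb{F}_{q^m}^n$ are defined, respectively, as $d_R(X, Y) \triangleq d_R(\phi_m(X), \phi_m(Y))$ and $d_R(\mathcal{C}) \triangleq d_R(\phi_m(\mathcal{C}))$.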

The size of a matrix code (or of a block code over $\mathbb{F}_{q^m}$) is bounded by the Singleton bound for the rank metric, which states that every $\mathcal{C} \subseteq \mathbb{F}_q^{n \times m}$ with minimum rank distance $d$ must satisfy

$$|\mathcal{C}| \le q^{\max\{n,m\}(\min\{n,m\} - d + 1)}. \tag{1}$$

Codes that achieve this bound are called maximum-rank-distance (MRD) codes and they are known to exist for all choices of parameters $q$, $n$, $m$ and $d \le \min\{n, m\}$ [9].

For the case of an $[n, k]$ linear block code over $\mathbb{F}_{q^m}$ with minimum rank distance $d$, the Singleton bound (1) becomes

$$d \le \min\left\{1, \frac{m}{n}\right\}(n - k) + 1. \tag{2}$$

Note that, for $m \ge n$, (2) coincides with the classical Singleton bound for the Hamming metric. Indeed, when $m \ge n$, every MRD code is also MDS.

Note that, differently from classical coding theory, block codes are represented in this paper using column vectors. However, to avoid confusion, the generator and parity-check matrices of a linear code will always be given in the standard orientation. Thus, if $G \in \mathbb{F}_{q^m}^{k \times n}$ and $H \in \mathbb{F}_{q^m}^{(n-k) \times n}$ are, respectively, the generator and parity-check matrices of an $[n, k]$ linear code $\mathcal{C} \subseteq \mathbb{F}_{q^m}^n$, then $\mathcal{C} = \{ G^T u : u \in \mathbb{F}_{q^m}^k \} = \{ x \in \mathbb{F}_{q^m}^n : Hx = 0 \}$.

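We now describe an important family of rank-metric codes proposed by Gabidulin [9]. Assume $m \ge n$. A Gabidulin code is an $[n, k]$ linear code over $\mathbb{F}_{q^m}$ defined by the generator matrix

$$G = \begin{bmatrix} g_0^{q^0} & g_1^{q^0} & \cdots & g_{n-1}^{q^0} \\ g_0^{q^1} & g_1^{q^1} & \cdots & g_{n-1}^{q^1} \\ \vdots & \vdots & \ddots & \vdots \\ g_0^{q^{k-1}} & g_1^{q^{k-1}} & \cdots & g_{n-1}^{q^{k-1}} \end{bmatrix} \tag{3}$$

where the elements $g_0, \ldots, g_{n-1} \in \mathbb{F}_{q^m}$ are linearly independent over $\mathbb{F}_q$. It is shown in [9] that the minimum rank distance of a Gabidulin code is $d = n - k + 1$, so the code is MRD.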



C. Linear Network Coding 

A linear network coding system is described as follows. Consider a communication network represented by a directed multigraph with unit capacity edges, a single source node, and multiple destination nodes. Each link in the network is assumed to transport, free of errors, a packet consisting of $m$ symbols from the finite field $\mathbb{F}_q$ (that is, a vector in $\mathbb{F}_q^{1 \times m}$). At every network use, the source node produces $n$ packets, represented as the rows of a matrix $X \in \mathbb{F}_q^{n \times m}$, and transmits evidence about these packets over the network. More precisely, for each of its outgoing links, the source node transmits a packet that is some $\mathbb{F}_q$-linear combination of the rows of $X$. Each of the remaining nodes behaves similarly, computing its outgoing packets as $\mathbb{F}_q$-linear combinations of its incoming packets. It follows that, for every link $e$, the packet $P_e$ transmitted over $e$ can be expressed (uniquely) as a linear combination of the rows of $X$, say $P_e = c_e X$. The coefficient vector $c_e \in \mathbb{F}_q^{1 \times n}$ is called the (global) coding vector of $P_e$. Let $\mathcal{E}$ denote the set of all network links, ordered according to some fixed ordering. A (global) coding matrix $C \in \mathbb{F}_q^{|\mathcal{E}| \times n}$ is defined such that, for all $e \in \mathcal{E}$, $c_e$ is the row of $C$ indexed by $e$.

For analytical purposes, a receiver can be specified, without loss of generality, by the set of incoming links of the corresponding destination node. Let $\mathfrak{R}$ denote the collection of all receivers. Note that $\mathfrak{R}$ is a subset of the powerset of $\mathcal{E}$. For $\mathcal{R} \in \mathfrak{R}$, let $Y(\mathcal{R}) \in \mathbb{F}_q^{|\mathcal{R}| \times m}$ denote the matrix whose rows are the packets received by receiver $\mathcal{R}$. Then

$$Y(\mathcal{R}) = C_{\mathcal{R}} X.$$

The network code is said to be feasible for a receiver $\mathcal{R}$ if $\operatorname{rank} C_{\mathcal{R}} = n$, otherwise it is rank-deficient. The rank deficiency of a network code is defined as

$$\rho = n - \min_{\mathcal{R} \in \mathfrak{R}} \operatorname{rank} C_{\mathcal{R}},$$

i.e., it is the maximum column-rank deficiency of $C_{\mathcal{R}}$ among all receivers. Since, in a network coding context, rank deficiency is analogous to packet loss, a rank deficiency of $\rho$ may also be referred to as $\rho$ packet erasures.

The system described above is referred to as an $(n \times m)_q$ linear coded network. We may also call it an $(n \times m, k)_q$ linear coded network if its rank deficiency is $\rho = n - k$.

We can extend the above model to incorporate packet errors. More precisely, we assume that each packet transmitted on a link may be subject to the addition of an error packet before reception by the corresponding node. This is useful to model both internal adversaries (malicious nodes that inject erroneous packets) as well as external adversaries (unauthorized transmitters that intentionally create interference with the transmitted signals). Similarly as above, this communication model can be described more concisely using a matrix framework. Suppose the packet transmitted on link $j$ changes from $P_j$ to $P_j'$. Then, due to linearity of the network, the packet transmitted on link $i$ changes from $P_i$ to $P_i' = P_i + F_{i,j}(P_j' - P_j)$, for some $F_{i,j} \in \mathbb{F}_q$. Let $F \in \mathbb{F}_q^{|\mathcal{E}| \times |\mathcal{E}|}$ be the matrix whose $(i,j)$ entry is $F_{i,j}$. Then the matrix received by receiver $\mathcal{R}$ is given by

$$Y(\mathcal{R}) = C_{\mathcal{R}} X + F_{\mathcal{R}} Z$$

where $Z \in \mathbb{F}_q^{|\mathcal{E}| \times m}$ is the matrix corresponding to the error packets injected on all links.

Note that the above model is applicable even if the network 
contains cycles and/or delays. 

III. Problem Formulation 

We start by describing a generic wiretap channel. Let $\mathcal{S}$, $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{W}$ be sets. A transmitter wishes to communicate a message $S \in \mathcal{S}$ reliably to a receiver but secretly from an eavesdropper. There is a channel among the three parties that takes $X \in \mathcal{X}$ from the transmitter and delivers $Y \in \mathcal{Y}$ to the receiver and $W \in \mathcal{W}$ to the eavesdropper. The channel is specified by some distribution $P(Y, W | X)$. The transmitter generates $X$ by a stochastic encoding of $S$, according to some distribution $P(X | S)$. Upon reception of $Y$, the receiver makes a guess that the transmitted message is $D(Y)$, according to some decoding function $D : \mathcal{Y} \to \mathcal{S}$. The eavesdropper, on the other hand, attempts to obtain information about $S$ based on the observation $W$. Together, the encoder $P(X | S)$ and the decoder $D(\cdot)$ specify the coding scheme. Note that $S$ and $(Y, W)$ are assumed to be conditionally independent given $X$.

A. Communication Requirements 

We now describe the requirements that a coding scheme 
must satisfy, for the purposes of this paper. 
1) Zero-error communication: For all $x \in \mathcal{X}$, let the fan-out set

$$\mathcal{Y}_x \triangleq \{ y \in \mathcal{Y} : P(y | x) > 0 \}$$

denote the set of all channel outputs that could possibly occur when the channel input is $x$. Similarly, for all $s \in \mathcal{S}$, let

$$\mathcal{X}_s \triangleq \{ x \in \mathcal{X} : P(x | s) > 0 \}$$

$$\mathcal{Y}(s) \triangleq \{ y \in \mathcal{Y} : P(y | s) > 0 \} = \bigcup_{x \in \mathcal{X}_s} \mathcal{Y}_x. \tag{4}$$

The scheme is said to be zero-error if

$$D(y) = s, \quad \text{for all } y \in \mathcal{Y}(s) \text{ and all } s \in \mathcal{S} \tag{5}$$

that is, the receiver can always uniquely determine the message.† We may also refer simply to the encoder $P(X | S)$ and consider it zero-error if there exists some decoding function $D(\cdot)$ satisfying (5). It is easy to see that an encoder is zero-error if and only if the sets $\mathcal{Y}(s)$, $s \in \mathcal{S}$, are all pairwise disjoint.

Note that condition (5) differs from the more usual notion of reliability where the probability of decoding error gets arbitrarily close to zero as the number of channel uses increases. Here, not only the probability of error must be exactly zero (as in zero-error information theory [22]), but also the channel can be used only once. While the constraint on a single channel use may seem restrictive, note that in many practical situations, in particular in network coding, a single message may already be large enough to encompass the whole communication session, so that further channel uses are not allowed.

2) Perfect secrecy: The scheme is said to be perfectly secret if absolutely no information is leaked to the eavesdropper, i.e.,

$$I(S; W) = 0. \tag{6}$$

Equivalently, the uncertainty about the message is not reduced by the eavesdropper's observation.

Throughout the paper, we will use the word secure as a 
synonym for secret. We will also refer to a perfectly secure 
scheme simply as secure. 

Note that condition (6) corresponds to perfect secrecy in the Shannon sense [23] and is stronger than the usual notion of secrecy in the information-theoretic security literature [24], where the average information leakage (per channel use) gets arbitrarily close to zero as the number of channel uses increases.

B. Wiretap Networks 

We now consider the case where the wiretap channel is a linear network coding system potentially subject to errors. Consider an $(n \times m)_q$ linear coded network specified by matrices $C \in \mathbb{F}_q^{|\mathcal{E}| \times n}$ and $F \in \mathbb{F}_q^{|\mathcal{E}| \times |\mathcal{E}|}$ and a set of receivers $\mathfrak{R} \subseteq \mathcal{P}(\mathcal{E})$, where $\mathcal{E} = \{1, \ldots, |\mathcal{E}|\}$ denotes the set of network edges. The network is used to communicate a message $S \in \mathcal{S}$ to each receiver, which is done by encoding $S$ into an input matrix $X \in \mathbb{F}_q^{n \times m}$ for transmission over the network.

† Our focus on zero-error communication is motivated by the goal of guaranteeing reliability in the presence of adversarial jammers. Since an adversary will attempt to disrupt communication whenever such a possibility exists, requiring zero-error ("foolproof") communication appropriately captures the worst-case nature of the problem.

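As described in Section II-C, the output matrix at a receiver $\mathcal{R} \in \mathfrak{R}$ is given by

$$Y(\mathcal{R}) = C_{\mathcal{R}} X + F_{\mathcal{R}} Z$$

where $Z \in \mathbb{F}_q^{|\mathcal{E}| \times m}$ denotes the matrix of error packets. Let

$$\mathcal{Z}_x \triangleq \{ z \in \mathbb{F}_q^{|\mathcal{E}| \times m} : P(z | x) > 0 \}$$

denote the set of all possible values for $Z$ when the input matrix is $x$. Then the set of all possible $Y(\mathcal{R})$ given $x$ is obtained as

$$\mathcal{Y}_x(\mathcal{R}) = \{ y \in \mathbb{F}_q^{|\mathcal{R}| \times m} : y = C_{\mathcal{R}} x + F_{\mathcal{R}} z,\ z \in \mathcal{Z}_x \}.$$

Since there are multiple receivers, a coding scheme for such a network consists of not only an encoder $P(X | S)$ but also a decoding function for each receiver. Accordingly, we say that the scheme is zero-error if it is zero-error for each individual receiver $\mathcal{R} \in \mathfrak{R}$.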

For the remainder of the paper, we will focus on the case where $Z$ has at most $t$ nonzero rows, i.e.,

$$\mathcal{Z}_x = \{ z \in \mathbb{F}_q^{|\mathcal{E}| \times m} : \operatorname{wt}(z) \le t \}$$

where $\operatorname{wt}(Z)$ denotes the number of nonzero rows of $Z$. In this case, a zero-error scheme is said to be a $t$-error-$\rho$-erasure-correcting scheme, where $\rho$ denotes the rank deficiency of the linear coded network. Note that even when $t = 0$, a 0-error-$\rho$-erasure-correcting scheme must still be able to guarantee reliable (zero-error) communication for all receivers, i.e., it must be able to make up for the rank deficiency experienced by the receivers.

Suppose there is an eavesdropper who can observe the packets transmitted on a subset of links $\mathcal{I} \subseteq \mathcal{E}$. The corresponding matrix observed by the eavesdropper is given by

$$C_{\mathcal{I}} X + F_{\mathcal{I}} Z.$$

Here, we assume the worst case where the eavesdropper has access to the matrix $Z$ (possibly because $Z$ was selected by the eavesdropper), so we define the eavesdropper observation as

$$W(\mathcal{I}) = C_{\mathcal{I}} X.$$

Consider the case where the eavesdropper is allowed to arbitrarily choose any $\mathcal{I} \subseteq \mathcal{E}$ with $|\mathcal{I}| \le \mu$. Since the eavesdropper may choose $\mathcal{I}$ in a worst-case or adversarial fashion, this situation may be modeled mathematically by assuming that there are multiple eavesdroppers, each with one of the allowed subsets $\mathcal{I}$. Accordingly, we say that the scheme is secure under $\mu$ observations if it is perfectly secure for all $\mathcal{I}$ such that $|\mathcal{I}| \le \mu$.

Under this model, $\mu$ may be viewed as a security parameter, while $t$ may be viewed as a reliability parameter.

Remark: As observed in [6], the type II wiretap channel of [7] can be viewed as the special case of a two-node network with a single receiver $\mathcal{R} = \mathcal{E}$, where $|\mathcal{E}| = n$, $t = 0$ and $C$ is an identity matrix.






C. Universal Schemes 

The specification of a wiretap network requires the specification of $C$, $F$ and $\mathfrak{R}$, as well as $m$, $\mu$ and $t$. As a consequence, the properties of a coding scheme designed for a network are tied to the particular network code used; there is no guarantee that the scheme will work well over other networks.

In this paper, we are interested in universal schemes, i.e., schemes that share the same property (i.e., $t$-error-$\rho$-erasure-correcting, secure under $\mu$ observations) for all possible network codes. As we shall see, this approach not only has practical benefits but also greatly simplifies the theoretical analysis.

Definition 1: A coding scheme for an $(n \times m)_q$ linear coded network is universally $t$-error-$\rho$-erasure-correcting if it is zero-error under the fan-out set

$$\mathcal{Y}_x = \{ (A, y) \in \mathbb{F}_q^{n \times n} \times \mathbb{F}_q^{n \times m} \mid y = Ax + Z,\ \operatorname{rank} A \ge n - \rho,\ \operatorname{rank} Z \le t,\ Z \in \mathbb{F}_q^{n \times m} \}.$$

Note that, to incorporate the fact that the matrix $C_{\mathcal{R}}$ is known at receiver $\mathcal{R}$, we have to include the matrix $A$ as part of the channel output. Contrasted with the models in [18], the model in Definition 1 may be interpreted as a worst-case coherent network coding channel.

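Proposition 1: A universally $t$-error-$\rho$-erasure-correcting scheme for an $(n \times m)_q$ network is $t$-error-$\rho$-erasure-correcting for any $(n \times m, n - \rho)_q$ network regardless of the network code or the set of receivers.

Proof: We will show that, for any $C_{\mathcal{R}} \in \mathbb{F}_q^{|\mathcal{R}| \times n}$ with $\operatorname{rank} C_{\mathcal{R}} \ge n - \rho$, any $F_{\mathcal{R}} \in \mathbb{F}_q^{|\mathcal{R}| \times |\mathcal{E}|}$, and any $Z \in \mathbb{F}_q^{|\mathcal{E}| \times m}$ with $\operatorname{wt}(Z) \le t$, a receiver that knows $C_{\mathcal{R}}$ and $Y(\mathcal{R}) = C_{\mathcal{R}} X + F_{\mathcal{R}} Z$ can successfully decode using a universal decoder. First, since $n \ge \operatorname{rank} C_{\mathcal{R}}$, there exists, regardless of $|\mathcal{R}|$, some matrix $T \in \mathbb{F}_q^{n \times |\mathcal{R}|}$ such that $\operatorname{rank} T C_{\mathcal{R}} = \operatorname{rank} C_{\mathcal{R}}$. Now, since $\operatorname{rank} T C_{\mathcal{R}} \ge n - \rho$ and $\operatorname{rank} T F_{\mathcal{R}} Z \le t$, we have that $(T C_{\mathcal{R}}, T Y(\mathcal{R})) \in \mathcal{Y}_X$. Thus, the receiver can successfully decode by applying the universal decoder on $(A, Y) = (T C_{\mathcal{R}}, T Y(\mathcal{R}))$. ■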

Definition 2: Consider an $(n \times m)_q$ linear coded network with input matrix $X \in \mathbb{F}_q^{n \times m}$. A coding scheme is universally secure under $\mu$ observations if it is perfectly secure for each eavesdropper observation $W = BX$, for all $B \in \mathbb{F}_q^{\mu \times n}$.

Clearly, a universally secure scheme is always secure regardless of the network code.

Focusing on universal schemes immediately offers the analytical advantage of not having to specify the network topology and the network code, except for the parameters $n$, $m$, $q$, $\rho$. These parameters provide an interface between the problems of network code design and end-to-end code design, which then become completely independent.

Of course, the rates achieved by a universal scheme could 
potentially be smaller than those of non-universal schemes; 
equivalently, to achieve an optimal rate, a universal scheme 
may impose certain constraints on the interface parameters. 
Our goal in this paper is to determine exactly what rates are achievable by universal schemes, as well as to construct computationally efficient schemes that achieve these rates.

IV. Universal Error Correction

We start by considering the case where $\mu = 0$, i.e., there is no eavesdropper (or security is not a concern).

Below we show a result that, while similar to the results in [18], is not available there, as the model considered here is slightly different.

Theorem 2: Consider a deterministic encoder $X = E(S)$, where $E : \mathcal{S} \to \mathcal{X}$, and let $\mathcal{C} = \{E(s), s \in \mathcal{S}\}$. Then the encoder is universally $t$-error-$\rho$-erasure-correcting if and only if $d_R(\mathcal{C}) > 2t + \rho$.

Proof: The correction guarantee has been proved in [18]. We now prove the converse. Suppose $d_R(\mathcal{C}) = d \le 2t + \rho$ and let $x_1, x_2 \in \mathcal{C}$ be such that $x_1 \ne x_2$ and $\operatorname{rank}(x_2 - x_1) = d$. Let $A \in \mathbb{F}_q^{n \times n}$ be a matrix whose right null space is a subspace of $\langle x_2 - x_1 \rangle$ with dimension $\min\{\rho, d\}$. Let $E = A(x_2 - x_1)$. Then $\operatorname{rank} A \ge n - \rho$ and $\operatorname{rank} E = d - \min\{\rho, d\} = \max\{d - \rho, 0\} \le 2t$. Let $E_1, E_2 \in \mathbb{F}_q^{n \times m}$ be such that $E = E_1 - E_2$, $\operatorname{rank} E_1 \le t$, and $\operatorname{rank} E_2 \le t$. Then $y = A x_1 + E_1 = A x_2 + E_2$, and therefore $(A, y) \in \mathcal{Y}_{x_1} \cap \mathcal{Y}_{x_2}$. Since the encoder is deterministic, $x_1$ and $x_2$ must correspond to distinct messages, which implies that the scheme is not zero-error. ■

Theorem 2 shows that, in the case of a deterministic encoder, the correction capability of a scheme is characterized precisely by the minimum rank distance of the image of the encoder. Thus, the problem can be solved by (and only by) a rank-metric code with sufficiently large minimum rank distance. While Theorem 2 is concerned only with the encoder, computationally efficient decoders (for a Gabidulin code) have been proposed in [13] (see also [20], [25]) for all values of $\rho$ and $t$.

The theorem also shows a tradeoff between errors and 
erasures that is analogous to that of classical coding theory; 
namely, an error can be traded for two erasures, and vice- 
versa, with the "exchange currency" being the minimum rank 
distance of the code. 

It is important to note that the characterization in Theorem 2 is valid only for deterministic encoding. In the case of stochastic encoding, it is conceivable that the same message $s$ could give rise to two distinct codewords $x_1$ and $x_2$ with small rank distance (so that they would be indistinguishable at the receiver), yet the message $s$ itself could be successfully decoded. Thus, while the direct part of the theorem still holds (as long as $H(X | S) = 0$), the converse does not. Surprisingly, however, the same interplay between errors and erasures that exists for a deterministic encoder (namely, one error is equivalent to two erasures) still remains for a stochastic encoder, as shown in the next result.

Theorem 3: Consider an $(n \times m)_q$ linear coded network. An encoder that is universally $t$-error-$\rho$-erasure-correcting is also universally $t'$-error-$\rho'$-erasure-correcting for all $t', \rho' \ge 0$ such that $2t' + \rho' \le 2t + \rho$.

Proof: See the Appendix. ■
The result of Theorem 3 will be crucially used in Section VI-B to prove a converse theorem for networks subject to errors and observations.

A consequence of Theorem 3 is that we could safely restrict attention to encoders that are universally $\rho$-erasure-correcting (that is, universally 0-error-$\rho$-erasure-correcting), since erasure-correction capability can be naturally traded for error-correction capability. However, as before, note that the result of Theorem 3 applies only to the encoder, i.e., it is in principle not trivial to obtain a decoder for one scheme given a decoder for the other.

V. Perfect Secrecy for Noiseless Networks 

In this section we treat the case of an $(n \times m, n)_q$ linear coded network subject to $\mu$ observations but no errors, so that the channel from the transmitter to each receiver is noiseless. Thus, each receiver can correctly recover the channel input $X$.

From now on, unless otherwise mentioned, we assume that the message space is $\mathcal{S} = \mathbb{F}_q^{k \times m}$, so that the message is a $k \times m$ matrix. The rows of $S$, denoted $S_1, \ldots, S_k \in \mathbb{F}_q^{1 \times m}$, may then be viewed as packets. All logarithms are taken to the base $q^m$, so that information is measured in $q^m$-ary units, or packets.

A. Preliminaries 

We start by reviewing the basic idea of coset coding, which was proposed by Ozarow and Wyner for the special case of the type II wiretap channel [7], and later applied to the general case by Rouayheb and Soljanin [6]. The scheme requires each packet to be an element of a finite field, i.e., $\mathbb{F}_q^{1 \times m}$ must be a field. In the following, we assume that $m = 1$.

Let $\mathcal{C}$ be an $[n, n - k]$ linear code over $\mathbb{F}_q$ with parity-check matrix $H \in \mathbb{F}_q^{k \times n}$. The transmitter encodes $S$ into $X$ by choosing uniformly at random some $X \in \mathbb{F}_q^n$ such that $S = HX$. In other words, each message is viewed as a syndrome specifying a coset of $\mathcal{C}$, and the transmitted word is randomly chosen among the elements of that coset. Upon reception of $X$, decoding is performed by simply computing the syndrome $S = HX$. Thus, the scheme is always zero-error.

For the special case of a type II wiretap channel, it can be shown [7] that the scheme is perfectly secure if $\mathcal{C}$ is an MDS code and $k \le n - \mu$. In general, however, this may not be sufficient. The following result is shown in [6].

Theorem 4 ([6]): In the coset coding scheme described above, assume that the eavesdropper observes $W = BX$, where $B \in \mathbb{F}_q^{\mu \times n}$. If $I(S; W) = 0$, then $H(S) \le n - \mu$. Moreover, if $H(S) = k = n - \mu$, then

$$I(S; W) = 0 \iff \langle H \rangle \cap \langle B \rangle = \{0\}. \tag{7}$$



The above result can be used to design a network code based on a given parity-check matrix $H$ [6]. More precisely, the network code (i.e., the global coding matrix $C$) must be constructed in such a way that, for all $\mathcal{I}$ with $|\mathcal{I}| \le \mu$, the matrix $B = C_{\mathcal{I}}$ satisfies (7) for the given $H$. Note that, since there is always some $B$ violating (7), the scheme is not universal.



Although the case $m > 1$ is not considered in Q, it is easy to see that any scheme for $m = 1$ can immediately be extended to $m > 1$ by applying the scheme $m$ times in a component-wise fashion. Encoding is performed identically, by randomly choosing $X$ such that $S = HX$ (where $S$ and $X$ are now matrices), and the same holds for the decoding. Clearly, the resulting scheme retains exactly the same properties of the original one (in particular, non-universality).

B. A Universal Scheme 

As we have seen above, in order to directly apply Ozarow-Wyner's coset coding scheme, packets must be elements of a finite field, and one way to achieve this is to assume $m = 1$. Another approach, the one we propose in this paper, is to make use of the vector space isomorphism $\mathbb{F}_q^{1 \times m} \cong \mathbb{F}_{q^m}$. In other words, we regard packets as elements of a finite field $\mathbb{F}_{q^m}$; this is still compatible with $\mathbb{F}_q$-linear network coding since $\mathbb{F}_{q^m}$ is a vector space over $\mathbb{F}_q$.

Theorem 4 holds unchanged, provided we replace $\mathbb{F}_q$ with $\mathbb{F}_{q^m}$ (note that we can regard $B \in \mathbb{F}_q^{\mu \times n}$ as a matrix over $\mathbb{F}_{q^m}$, since $\mathbb{F}_q \subseteq \mathbb{F}_{q^m}$). However, all the entries of $B$ still lie in the subfield $\mathbb{F}_q$. Since $\mathbb{F}_q \subseteq \mathbb{F}_{q^m}$, we can regard $B \in \mathbb{F}_q^{\mu \times n}$ as a matrix over $\mathbb{F}_{q^m}$. After replacing $\mathbb{F}_q$ with $\mathbb{F}_{q^m}$, Theorem 4 follows unchanged.

Under this interpretation, the variables $S \in \mathbb{F}_{q^m}^{k}$, $X \in \mathbb{F}_{q^m}^{n}$, $W \in \mathbb{F}_{q^m}^{\mu}$ are now viewed as column vectors over $\mathbb{F}_{q^m}$. For the purposes of Theorem 4 we can regard $B \in \mathbb{F}_q^{\mu \times n}$ as a matrix over $\mathbb{F}_{q^m}$ (since $\mathbb{F}_q \subseteq \mathbb{F}_{q^m}$). Then the theorem follows unchanged after replacing $\mathbb{F}_q$ with $\mathbb{F}_{q^m}$. Note, however, that all the entries of $B$ still lie in the subfield $\mathbb{F}_q$. As the number of possibilities for $H \in \mathbb{F}_{q^m}^{k \times n}$ is now much larger as compared to $B$ (for $m > 1$), it is conceivable that some $H$ exists satisfying (7) for all $B$. This can be seen as the crucial ingredient that enables universal security. A suitable choice of $H$ is given in the next theorem.

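Theorem 5: Let $C$ be an $[n, n-k]$ linear code over $\mathbb{F}_{q^m}$ with parity-check matrix $H \in \mathbb{F}_{q^m}^{k \times n}$. If $d_R(C) = k + 1$ and $\mu \le n - k$, then

$$\operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix} = \operatorname{rank} H + \operatorname{rank} B, \quad \text{for all } B \in \mathbb{F}_q^{\mu \times n}. \tag{8}$$

Conversely, if $\mu = n - k$, then (8) holds only if $d_R(C) = k + 1$.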
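Proof: Suppose that, for some $\mu \le n - k$, there exists some matrix $B \in \mathbb{F}_q^{\mu \times n}$ such that

$$\operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix} < \operatorname{rank} H + \operatorname{rank} B.$$

Let $r = \operatorname{rank} B$, let $T \in \mathbb{F}_q^{r \times \mu}$ be some full-rank matrix such that $\operatorname{rank} TB = r$, and let $D \in \mathbb{F}_q^{(n-k-r) \times n}$ be some full-rank matrix such that the matrix

$$B' = \begin{bmatrix} TB \\ D \end{bmatrix} \in \mathbb{F}_q^{(n-k) \times n}$$

is full-rank. We have that

$$\operatorname{rank} \begin{bmatrix} H \\ B' \end{bmatrix} \le \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix} + \operatorname{rank} D < \operatorname{rank} H + \operatorname{rank} B + \operatorname{rank} D = n.$$

Let

$$M = \begin{bmatrix} H \\ B' \end{bmatrix}.$$

Since $\operatorname{rank} M < n$, there must exist some nonzero $x \in \mathbb{F}_{q^m}^{n}$ such that $Mx = 0$. But this implies that $Hx = 0$, i.e., $x \in C$, and $B'x = 0$, i.e., $\operatorname{rank} \phi_m(x) \le k$. Thus, $d_R(C) \le k$.

For the converse statement, suppose that $d_R(C) \le k$. Then there exists some nonzero $x \in C$ such that $\operatorname{rank} \phi_m(x) \le k$. This implies that there exists some full-rank $B \in \mathbb{F}_q^{(n-k) \times n}$ such that $Bx = 0$. Note also that $Hx = 0$. Thus,

$$\operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix} < n = \operatorname{rank} H + \operatorname{rank} B.$$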



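In order to state our main result in full generality, we first present a generalization of Theorem 4.

Lemma 6: Let $H \in \mathbb{F}_{q^m}^{k \times n}$ and $B \in \mathbb{F}_{q^m}^{\mu \times n}$. Let $X \in \mathbb{F}_{q^m}^{n}$, $S = HX$ and $W = BX$ be random variables. Let $\mathcal{S} = \{Hx : x \in \mathbb{F}_{q^m}^{n}\}$ and, for all $s \in \mathcal{S}$, let $\mathcal{X}_s = \{x \in \mathbb{F}_{q^m}^{n} : s = Hx\}$.

1) If $X$ is uniform over $\mathcal{X}_s$ given $S = s$, then

$$I(S;W) \le \operatorname{rank} H + \operatorname{rank} B - \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix}.$$

2) If $S$ is uniform over $\mathcal{S}$, then

$$I(S;W) \ge \operatorname{rank} H + \operatorname{rank} B - \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix}.$$

Proof: See the Appendix. ■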

We can now state the main result of this section. 

Theorem 7: Consider an $(n \times m, n)_q$ linear coded network. Let $C$ be an $[n, n-k]$ linear code over $\mathbb{F}_{q^m}$ with parity-check matrix $H \in \mathbb{F}_{q^m}^{k \times n}$. A coset coding scheme based on $H$ is universally secure under $\mu$ observations if $k \le n - \mu$, $m \ge n$ and $C$ is MRD. Conversely, in the case of a uniformly distributed message, the scheme is universally secure under $n - k$ observations only if $C$ is an MRD code with $m \ge n$.

Proof: The achievability follows from item 1) of Lemma 6, Theorem 5 and the definition of an MRD code. The partial converse follows from item 2) of Lemma 6, Theorem 5 and the Singleton bound (2). ■

The following example illustrates the constructive part of 
Theorem |2l 



Example 1: Let $q = 2$, $m = n = 3$, $\mu = 2$ and $k = n - \mu = 1$. Let $\mathbb{F}_{q^m} = \mathbb{F}_{2^3}$ be generated by a root of $p(x) = x^3 + x + 1$, which we denote by $\alpha$. According to [9], one possible $[n, \mu]$ linear MRD code over $\mathbb{F}_{q^m}$ has parity-check matrix $H = \begin{bmatrix} 1 & \alpha & \alpha^2 \end{bmatrix}$.

To form $X = \begin{bmatrix} X_1 & X_2 & X_3 \end{bmatrix}^T$ given a source message $S \in \mathbb{F}_{q^m}$, we can choose $X_2, X_3 \in \mathbb{F}_{q^m}$ uniformly at random and set $X_1$ to satisfy

$$S = HX = X_1 + \alpha X_2 + \alpha^2 X_3.$$

Note that $X$ can be transmitted over any $(n \times m, n)_q$ linear coded network. The specific network code used is irrelevant as long as each destination node is able to recover $X$.



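Now, suppose that the eavesdropper intercepts $W = BX$, where

$$B = \begin{bmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{bmatrix}.$$

Then

$$W = B \begin{bmatrix} X_1 \\ X_2 \\ X_3 \end{bmatrix} = B \begin{bmatrix} S + \alpha X_2 + \alpha^2 X_3 \\ X_2 \\ X_3 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \end{bmatrix} S + \begin{bmatrix} \alpha & 1 + \alpha^2 \\ 1 & 1 \end{bmatrix} \begin{bmatrix} X_2 \\ X_3 \end{bmatrix}.$$

This is a linear system with 3 variables and 2 equations over $\mathbb{F}_{q^m}$. Note that, given $S$, there is exactly one solution for $(X_2, X_3)$ for each value of $W$. Thus, $\Pr(W|S) = 1/8^2$, $\forall S, W$, from which follows that $S$ and $W$ are independent.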
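The check made in Example 1 can be carried out exhaustively. The following added example (not code from the paper) goes beyond the single $B$ of Example 1: it tests every one of the 64 matrices $B \in \mathbb{F}_2^{2 \times 3}$ and contrasts $H = [1\ \alpha\ \alpha^2]$ with `H_WEAK = [1 1 1]`, a non-MRD parity check chosen here as an assumption. The function names and the 3-bit integer encoding of $\mathbb{F}_8$ are choices made for this example.

```python
from collections import Counter
from itertools import product

def gf8_mul(a, b):
    """Multiply in F_8 = F_2[x]/(x^3 + x + 1); elements are 3-bit integers."""
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for i in (4, 3):                       # fold x^4 and x^3 back using x^3 = x + 1
        if (r >> i) & 1:
            r ^= 0b1011 << (i - 3)
    return r

ALPHA = 0b010                               # root of p(x) = x^3 + x + 1
H_MRD = (1, ALPHA, gf8_mul(ALPHA, ALPHA))   # H = [1  alpha  alpha^2] from Example 1
H_WEAK = (1, 1, 1)                          # assumption: entries in F_2, so the code is not MRD

def syndrome(H, X):
    """Decoder: S = HX over F_8 (addition is XOR)."""
    s = 0
    for h, x in zip(H, X):
        s ^= gf8_mul(h, x)
    return s

def encode(H, s, x2, x3):
    """Coset encoder: X2, X3 are the random symbols, X1 is solved from S = HX (needs H[0] = 1)."""
    x1 = s ^ gf8_mul(H[1], x2) ^ gf8_mul(H[2], x3)
    return (x1, x2, x3)

def observe(B, X):
    """W = BX for B over F_2: each tapped link carries an XOR of the packets it selects."""
    W = []
    for row in B:
        w = 0
        for bit, x in zip(row, X):
            if bit:
                w ^= x
        W.append(w)
    return tuple(W)

def w_distribution(H, B, s):
    """Histogram of W given S = s over all 64 equally likely choices of (X2, X3)."""
    return Counter(observe(B, encode(H, s, x2, x3))
                   for x2, x3 in product(range(8), repeat=2))

def leaks(H, B):
    """True if the eavesdropper's view depends on the message, i.e. I(S; W) > 0."""
    ref = w_distribution(H, B, 0)
    return any(w_distribution(H, B, s) != ref for s in range(1, 8))

def leaking_observations(H):
    """All B in F_2^{2x3} (every way of tapping mu = 2 links) that reveal something about S."""
    rows = list(product((0, 1), repeat=3))
    return [B for B in product(rows, repeat=2) if leaks(H, B)]

if __name__ == "__main__":
    B_example = ((1, 0, 1), (0, 1, 1))      # the B of Example 1
    hist = w_distribution(H_MRD, B_example, 5)
    print("Example 1: distinct W values", len(hist), "counts", set(hist.values()))
    print("leaking B with MRD H :", len(leaking_observations(H_MRD)))
    print("leaking B with weak H:", len(leaking_observations(H_WEAK)))
```

With `H_WEAK`, the observations that leak are exactly those whose row space contains $[1\ 1\ 1]$, which is the intersection condition (7) of Theorem 4 failing.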



C. Encoder Structure 

In this subsection, we develop a more concrete encoder 
structure for the coset coding scheme proposed above. 



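Let $H \in \mathbb{F}_{q^m}^{k \times n}$ be the parity-check matrix of an $[n, n-k]$ linear code over $\mathbb{F}_{q^m}$. Let $T \in \mathbb{F}_{q^m}^{n \times n}$ be an invertible matrix such that

$$T^{-1} = \begin{bmatrix} H \\ H_1 \end{bmatrix}$$

for some $H_1 \in \mathbb{F}_{q^m}^{(n-k) \times n}$. Consider the following encoder. Given a message $S \in \mathbb{F}_{q^m}^{k}$, the encoder chooses $V \in \mathbb{F}_{q^m}^{n-k}$ uniformly at random and independently from $S$, and produces $X \in \mathbb{F}_{q^m}^{n}$ by computing

$$X = T \begin{bmatrix} S \\ V \end{bmatrix}.$$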



Proposition 8: The encoder described above is universally secure under $\mu \le n - k$ observations if the code defined by $H$ is MRD with $m \ge n$.

Proof: Note that $S = HX$ and $V = H_1 X$. Then Theorem 7 holds if we can prove that $X$ is uniform given $S$, i.e., if $H(X|S) = n - k$. By expanding $H(V, X|S)$ in two ways, we have

$$\begin{aligned} H(X|S) &= H(V|S) + H(X|V,S) - H(V|X,S) \\ &= H(V|S) + H(X|V,S) \\ &= H(V|S) \\ &= H(V) \\ &= n - k. \end{aligned}$$



Note that this equivalence between the two encoders has been previously shown in [6] for the case of $m = 1$ with non-universal security (i.e., when $H$ satisfies the conditions of Theorem 4 for a specific network).

We now give a security condition based directly on the 
matrix T rather than its inverse. 

Proposition 9: The encoder described above is universally secure under $\mu \le n - k$ observations if the last $n - k$ rows of $T^T$ form a generator matrix of an $[n, n-k]$ linear MRD code over $\mathbb{F}_{q^m}$ with $m \ge n$.



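Proof: Let $G \in \mathbb{F}_{q^m}^{(n-k) \times n}$ and $G_1 \in \mathbb{F}_{q^m}^{k \times n}$ be such that

$$T^T = \begin{bmatrix} G_1 \\ G \end{bmatrix}.$$

Then

$$\begin{bmatrix} I & 0 \\ 0 & I \end{bmatrix} = \begin{bmatrix} H \\ H_1 \end{bmatrix} \begin{bmatrix} G_1^T & G^T \end{bmatrix} = \begin{bmatrix} H G_1^T & H G^T \\ H_1 G_1^T & H_1 G^T \end{bmatrix}.$$

Thus, $H G^T = 0$. Since both $G$ and $H$ are full-rank, it follows that $G$ and $H$ are generator and parity-check matrices, respectively, for exactly the same code. ■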



D. Converse Results

We now prove that our scheme is optimal with respect to packet length, i.e., the scheme minimizes the required packet length among all universal schemes. For generality, in the following theorem we revert to the notation of Section III (with matrices over the base field $\mathbb{F}_q$).

Theorem 10: Consider a noiseless $(n \times m, n)_q$ linear coded network. Assume that the source message has entropy of $k$ packets. There exists a zero-error scheme that is universally secure under $\mu = n - k$ observations only if $m \ge n$.

Proof: By assumption of zero-error communication (and of a noiseless network), there is a function $f: \mathbb{F}_q^{n \times m} \to \mathcal{S}$ such that $S = f(X)$. Thus, we may write $\mathcal{X}_s = \{x \in \mathbb{F}_q^{n \times m} : f(x) = s\}$. Now,

$$\begin{aligned} k = H(S) &= H(S|X,W) + I(S;X,W) \\ &= I(S;X,W) && (9) \\ &= I(S;W) + I(S;X|W) \\ &= I(S;X|W) && (10) \\ &= H(X|W) - H(X|S,W) \\ &\le H(X|W) && (11) \\ &\le n - \operatorname{rank} B && (12) \end{aligned}$$

where (9) follows since $S$ is a function of $X$ and (10) follows since $I(S;W) = 0$. Since (12) holds with equality for all full-rank $B \in \mathbb{F}_q^{\mu \times n}$, we must have $H(X|S,W) = 0$ and $H(X|W) = n - \mu$ for all such $B$. By the chain rule of entropy, it is not hard to see that the latter condition implies that $X$ is uniform (for instance, by choosing each $B$ as a submatrix of an identity matrix, as in the wiretap channel II). Thus, $H(X) = n$. Since $H(X) = H(X,S) = H(S) + H(X|S)$, we have that $H(X|S) \ge n - k = \mu$. Thus, there must be some $s^* \in \mathcal{S}$ such that $H(X|S = s^*) \ge \mu$, which implies that $|\mathcal{X}_{s^*}| \ge q^{m\mu}$.

On the other hand, the fact that $H(X|S,W) = 0$ for all full-rank $B$ implies that $X$ must be uniquely determined given $W = BX$ and the indication that $X \in \mathcal{X}_S$. From Theorem 5, this implies that each $\mathcal{X}_s$ must be a rank-metric code with $d_R(\mathcal{X}_s) \ge n - \mu + 1$. In particular, $d_R(\mathcal{X}_{s^*}) \ge n - \mu + 1$. From the Singleton bound (1), we see that this can only happen if $m \ge n$. ■

As Theorem 10 shows, if $m < n$, universal schemes do not exist. For $m \ge n$, not only do universal schemes exist, but also they achieve exactly the same rates as the best non-universal schemes. It should be noted, however, that these results assume the requirements of perfect secrecy and zero-error communication. If these conditions are relaxed to asymptotically perfect secrecy and vanishing error probability (over multiple channel uses), then it is possible to construct universal schemes even for $m = 1$ [26].

VI. Perfect Secrecy for Noisy Networks

In this section, we treat the general case of an $(n \times m, n - \rho)_q$ linear coded network subject to $t$ errors and $\mu$ observations.



A. A Universal Scheme 

Consider the encoder described in Section V-C. Assume that the input variable for the encoder is $S' \in \mathbb{F}_{q^m}^{n-\mu}$ (rather than $S$). Given $S'$, the encoder produces

$$X = T \begin{bmatrix} S' \\ V \end{bmatrix}$$

where $V \in \mathbb{F}_{q^m}^{\mu}$ is chosen uniformly at random and independently from $S'$, and $T \in \mathbb{F}_{q^m}^{n \times n}$ is an invertible matrix. Suppose that $m \ge n$, and let $G_{\mathrm{sec}} \in \mathbb{F}_{q^m}^{\mu \times n}$ denote the last $\mu$ rows of $T^T$. It follows from Proposition 9 that, if $G_{\mathrm{sec}}$ is a generator matrix for an $[n, \mu]$ linear MRD code over $\mathbb{F}_{q^m}$, then the scheme is universally secure under $\mu$ observations, regardless of the distribution of $S'$.

Suppose we choose

$$S' = \begin{bmatrix} 0 \\ S \end{bmatrix}$$

where $S \in \mathbb{F}_{q^m}^{k}$ is the "true" message, and $k \le n - \mu$. Then the scheme remains universally secure under $\mu$ observations. On the other hand, the redundancy in $S'$ may be useful to provide error correction.

Let us define an auxiliary variable

$$U = \begin{bmatrix} S \\ V \end{bmatrix}.$$

Then the encoder effectively maps $U$ into $X$ via the deterministic mapping

$$X = G^T U$$

where $G \in \mathbb{F}_{q^m}^{(k+\mu) \times n}$ denotes the last $k + \mu$ rows of $T^T$. In particular, the set of all possible $X$ is given by

$$C = \{G^T u,\ u \in \mathbb{F}_{q^m}^{k+\mu}\}.$$

Then, it follows from Theorem 2 that, when $X$ is transmitted over an $(n \times m, n - \rho)_q$ network subject to $t$ errors, the receiver can uniquely determine $U$ (and therefore $S$) if $d_R(C) > 2t + \rho$. This condition is satisfied if $C$ is an $[n, k + \mu]$ linear MRD code over $\mathbb{F}_{q^m}$ and $k + \mu \le n - (2t + \rho)$.

The above analysis proves the following result. 

Theorem 11: Consider an $(n \times m)_q$ linear coded network. In the encoder described above, assume that $G \in \mathbb{F}_{q^m}^{(k+\mu) \times n}$ is the generator matrix of an $[n, k + \mu]$ linear MRD code over $\mathbb{F}_{q^m}$ such that the last $\mu$ rows of $G$ form a generator matrix of an $[n, \mu]$ linear MRD code over $\mathbb{F}_{q^m}$. The scheme is universally $t$-error-$\rho$-erasure-correcting and universally secure under $\mu$ observations if $m \ge n$ and $k \le n - 2t - \rho - \mu$.

Whenever an error control encoder satisfies the secrecy conditions of Theorem 11, we will say it is secrecy-compatible.

As mentioned in Section IV, decoding can be performed
using the methods in [13], [20] if $C$ is a Gabidulin code. In
this case, if G is given in the form (O, then it is easy to see 
that any $\mu$ consecutive rows of $G$ (in particular the last ones)
indeed form a generator matrix of an MRD sub-code.
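The secrecy-compatibility condition of Theorem 11 can be checked by brute force on a toy instance. This added example is not code from the paper; it assumes $q = 2$, $n = m = 3$, $k = \mu = \rho = 1$, $t = 0$, a Gabidulin-form generator with rows $(g_j)$ and $(g_j^2)$ for $g = (1, \alpha, \alpha^2)$, and a second generator `G_INCOMPAT` of the same code whose last row is not an MRD generator. An exhaustive search stands in for the decoders of [13], [20], and all names are choices made here.

```python
from functools import reduce
from itertools import product
from operator import xor

# F_8 = F_2[x]/(x^3 + x + 1) via discrete-log tables; EXP[i] = alpha^i as a 3-bit integer.
EXP = [1, 2, 4, 3, 6, 7, 5]
LOG = {v: i for i, v in enumerate(EXP)}

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 7]

# Assumed generator in Gabidulin form: rows (g_j) and (g_j^2), g = (1, alpha, alpha^2).
G_COMPAT = ((1, 2, 4), (1, 4, 6))
# Same code, other basis: last row = sum of the rows above = (0, alpha^4, alpha), rank 2 only.
G_INCOMPAT = ((1, 2, 4), (0, 6, 2))

def encode(G, s, v):
    """X = G^T U with U = [S; V]: the last row of G multiplies the random symbol V."""
    return tuple(mul(g0, s) ^ mul(g1, v) for g0, g1 in zip(*G))

def f2_apply(M, X):
    """M X for a matrix M over F_2: every output packet is an XOR of selected input packets."""
    return tuple(reduce(xor, (x for bit, x in zip(row, X) if bit), 0) for row in M)

NONZERO_ROWS = [r for r in product((0, 1), repeat=3) if any(r)]

def leaking_taps(G):
    """Single-link observations b (mu = 1) whose value W = bX depends on the message S."""
    def view(b, s):
        return sorted(f2_apply((b,), encode(G, s, v)) for v in range(8))
    return [b for b in NONZERO_ROWS
            if any(view(b, s) != view(b, 0) for s in range(1, 8))]

def rank2_transfer_matrices():
    """All A in F_2^{2x3} of rank 2, i.e. a network with rank deficiency rho = 1."""
    return [(r1, r2) for r1 in NONZERO_ROWS for r2 in NONZERO_ROWS if r1 != r2]

def decode(G, A, Y):
    """Exhaustive stand-in for a rank-metric decoder: all messages S consistent with Y = AX."""
    return sorted({s for s, v in product(range(8), repeat=2)
                   if f2_apply(A, encode(G, s, v)) == Y})

def erasure_correcting(G):
    """True if every rank-2 A lets the receiver recover S uniquely from Y = AX."""
    return all(decode(G, A, f2_apply(A, encode(G, s, v))) == [s]
               for A in rank2_transfer_matrices()
               for s, v in product(range(8), repeat=2))

if __name__ == "__main__":
    for name, G in (("secrecy-compatible", G_COMPAT), ("incompatible", G_INCOMPAT)):
        print(name, "| erasure-correcting:", erasure_correcting(G),
              "| leaking taps:", leaking_taps(G))
```

Both generators give the same error control, since they span the same code, but only the first keeps a single tapped link independent of $S$.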

B. Converse Results 

In this section, we prove that our proposed scheme is 
optimal, both in the sense of achieving the maximum possible 
rate and in the sense of requiring the minimum possible packet 
length among all schemes that achieve this maximum rate. As 
in Theorem 10, we use the generic notation of Section II.

Theorem 12: Consider an $(n \times m)_q$ linear coded network. Assume that the source message has entropy of $k$ packets. There exists a scheme that is universally $t$-error-$\rho$-erasure-correcting and universally secure under $\mu$ observations only if $k \le n - 2t - \rho - \mu$. Moreover, this maximum rate can be attained only if $m \ge n$.

Proof: Let $n' = n - 2t - \rho$. Let $B \in \mathbb{F}_q^{\mu \times n}$ be a full-rank matrix and let $A \in \mathbb{F}_q^{n' \times n}$ be a full-rank matrix such that $B = PA$ for some (necessarily full-rank) $P \in \mathbb{F}_q^{\mu \times n'}$. Let $Y_A = AX$ and $W_B = BX = PY_A$. If the encoder is universally $t$-error-$\rho$-erasure-correcting then, by Theorem 3, it is also universally $(2t + \rho)$-erasure-correcting. Thus, there is a function $f_A: \mathbb{F}_q^{n' \times m} \to \mathcal{S}$ such that $S = f_A(Y_A)$. In particular, there is also a function $f: \mathbb{F}_q^{n \times m} \to \mathcal{S}$ such that $S = f(X)$. Thus, we may write $\mathcal{X}_s = \{x \in \mathbb{F}_q^{n \times m} : f(x) = s\}$. Now,

$$\begin{aligned} k = H(S) &= H(S|Y_A, W_B) + I(S; Y_A, W_B) \\ &= I(S; Y_A, W_B) && (13) \\ &= I(S; W_B) + I(S; Y_A|W_B) \\ &= I(S; Y_A|W_B) && (14) \\ &= H(Y_A|W_B) - H(Y_A|S, W_B) \\ &\le H(Y_A|W_B) && (15) \\ &\le n' - \operatorname{rank} P = n' - \mu && (16) \end{aligned}$$

where (13) follows since $S$ is a function of $Y_A$ and (14) follows since $I(S; W_B) = 0$. This proves the first statement. Now consider the second statement. Since (16) holds with equality, we must have $H(Y_A|S, W_B) = 0$ and $H(Y_A|W_B) = n' - \mu$. Note that these conditions hold for all full-rank $B$ and all $A \in \mathcal{A}_B$, where

$$\mathcal{A}_B = \{A \in \mathbb{F}_q^{n' \times n} : \operatorname{rank} A = n',\ \langle B \rangle \subseteq \langle A \rangle\}.$$

This implies that $H(\{Y_A : A \in \mathcal{A}_B\}|S, W_B) = 0$ and therefore $H(Y_B|S, W_B) = 0$, where $Y_B = A_B X$ and $A_B$ is the matrix consisting of the vertical stacking of all matrices in $\mathcal{A}_B$. It is not hard to see that, as long as $n' > \mu$, $\operatorname{rank} A_B = n$. (In fact, $A_B$ contains every nonzero vector of $\mathbb{F}_q^{n}$ as one of its rows.) It follows that $H(X|S, W_B) = 0$, for all full-rank $B$. Thus, $X$ must be uniquely determined given $W_B = BX$ and the indication that $X \in \mathcal{X}_S$. From Theorem 2, this implies that each $\mathcal{X}_s$ must be a rank-metric code with $d_R(\mathcal{X}_s) \ge n - \mu + 1$.

On the other hand, we have seen that, for each full-rank $A \in \mathbb{F}_q^{n' \times n}$, it holds that $H(Y_A|W_B) = n' - \mu$ for all full-rank $P \in \mathbb{F}_q^{\mu \times n'}$, where $W_B = PY_A$ and $B = PA$. By the chain rule of entropy, it is not hard to see that this implies that $Y_A$ is uniform (for instance, by choosing some $P$'s that are submatrices of an identity matrix, as in the wiretap channel II). Thus, $H(Y_A) = n'$, which implies that $H(X) \ge n'$. Since $H(X) = H(X,S) = H(S) + H(X|S)$, we have that $H(X|S) \ge n' - k = \mu$. Thus, there must be some $s \in \mathcal{S}$ such that $H(X|S = s) \ge \mu$, which implies that $|\mathcal{X}_s| \ge q^{m\mu}$. Together with the fact that $d_R(\mathcal{X}_s) \ge n - \mu + 1$, we can see, from the Singleton bound (1), that this can only happen if $m \ge n$. ■

VII. Practical Considerations 

A. Packet Length 

The schemes proposed in this paper all require that the 
packet length m be at least as large as the batch size 
(i.e., the number of transmitted packets) n. This is the only 
constraint imposed by universal schemes — in sharp contrast 
with previous approaches that require the network code to be 
known and field size q to be significantly large. In practice, 
the requirement on the packet length is usually easily satisfied: 
typical random network coding implementations use m ^ n, 
for instance, m > 1024 (with q = 256) while n < 256 fTT^, 

B. Layered Structure 

The fact that a single encoder/decoder pair simultaneously provides both secrecy and error control offers a great deal of simplicity and flexibility to the proposed scheme. A block diagram of the scheme is illustrated in Fig. 1. We can view the system as consisting of three layers. The first layer accepts a message of $k$ packets and performs secrecy coding simply by concatenating the message with $\mu$ random packets. The second layer accepts the secrecy-encoded message and applies secrecy-compatible error control coding. (For clarity, the isomorphism between $\mathbb{F}_{q^m}$ and $\mathbb{F}_q^{1 \times m}$ is shown explicitly in Fig. 1.) The resulting codeword, consisting of $n$ packets, is then delivered to the third layer, which corresponds to the linear coded network. The interface parameters are $k$, $\mu$, $n$ and $m$, where $n - k - \mu$ determines the amount of error control (note that $d = n - k - \mu + 1$ is the minimum rank distance of the code). The matrix $T \in \mathbb{F}_{q^m}^{n \times n}$ in Fig. 1 is such that, for all $i = 1, \ldots, n$, the last $i$ rows of $T^T$ form a generator matrix of an $[n, i]$ linear MRD code over $\mathbb{F}_{q^m}$. Provided that the error control decoder associated with $T$ is flexible to handle any amount of error control given as an input parameter (this is possible for the decoders in [13], [20]), we obtain a scheme that is "universal" in yet another sense: the same scheme can be used regardless of the parameters $\rho$, $t$ and $\mu$ (assuming $n > \rho + 2t + \mu$). As we can see from Fig. 1, we can easily trade among rate, secrecy and error control by simply adjusting the interface parameters $k$ and $\mu$.

[Figure 1: block diagram. The error control coding output $X$ enters the linear coded network with parameters $n$, $m$, $q$; the network delivers $Y = AX + Z$ to the error control decoder and $W = BX$ to the eavesdropper.]

Fig. 1. Layer structure of the proposed coding scheme, incorporating both secrecy and reliability. The source message is guaranteed to be secret from the eavesdropper provided $\operatorname{rank} B \le \mu$. The destination is guaranteed to reliably recover the message provided that $\operatorname{rank} Z \le (\operatorname{rank} A - k - \mu)/2$.

C. Cartesian Products of Codes 

According to the structure described in Sections V-C and VI-A, encoding and decoding of a source message are performed via matrix-by-vector multiplication with arithmetic over an extension field. Specifically, encoding and decoding can be performed with, respectively, $O(k'n)$ and $O(n^2)$ arithmetic operations in $\mathbb{F}_{q^m}$, where $k' = k + \mu$. For moderate to large $m$, these operations may turn out to be quite expensive since, in practice, a multiplication in $\mathbb{F}_{q^m}$ costs about $m^2$ operations in $\mathbb{F}_q$.

A convenient way to reduce this complexity is to use 
Cartesian products of MRD codes. Assume that m = rn, 
for some r. We construct a code in F^^""" via the isomor- 
phism rather than ^i"''^^ as before. Let C C F^^""^ 
denote the $r$-fold Cartesian product of a code $C \subseteq \mathbb{F}_{q^n}^{n}$ with itself. Suppose $C$ is defined by the generator and parity-check matrices $G \in \mathbb{F}_{q^n}^{k' \times n}$ and $H \in \mathbb{F}_{q^n}^{(n-k') \times n}$, i.e., $C = \{G^T u : u \in \mathbb{F}_{q^n}^{k'}\} = \{x \in \mathbb{F}_{q^n}^{n} : Hx = 0\}$. Then it follows that $C^r = \{G^T u : u \in \mathbb{F}_{q^n}^{k' \times r}\} = \{x \in \mathbb{F}_{q^n}^{n \times r} : Hx = 0\}$. It is also clear that $d_R(\phi_n(C^r)) = d_R(C)$. Thus, all the results and methods of this paper can be equally applied to $C^r$. In particular, decoding is performed by applying a decoder for $C$ column-wise on the received matrix $X \in \mathbb{F}_{q^n}^{n \times r}$. As a consequence, the encoding and decoding complexity are reduced to, respectively, $O(k'nr) = O(k'm)$ and $O(n^2 r) = O(nm)$ operations in the smaller field $\mathbb{F}_{q^n}$.

D. Using Low-Complexity Normal Bases 

The encoding and decoding complexity can be reduced even 
further by using a normal basis to perform extension field 
arithmetic. 

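Let $\alpha \in \mathbb{F}_{q^n}$. If the elements $\alpha, \alpha^{q}, \ldots, \alpha^{q^{n-1}}$ are linearly independent over $\mathbb{F}_q$, then $\{\alpha, \alpha^{q}, \ldots, \alpha^{q^{n-1}}\}$ is called a normal basis for $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, and $\alpha$ is called a normal element.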
Suppose the matrix T e Fg„^" is given by T = [T^] where 
T,^j = a[*"i+-'~il, for 1 < i,i < n. Then T not only 



is invertible, but also satisfies both requirements of secrecy
and error control, as any contiguous subset of rows of $T$ is
a generator matrix of an MRD code [9]. Now, if the basis
generated by $\alpha$ is also used to implement the arithmetic over
$\mathbb{F}_{q^n}$, then significant complexity savings can be obtained,
as described in [20], [25]. Specifically, suppose that $q$ is a
power of 2 and that $\alpha$ is a self-dual, optimal normal element
constructed via Gauss periods [28], [29]. Then decoding can
be performed with approximately 5(n — k')^nm + ^n^m 
multiplications and 10(7i — k'^nm + ^Ti?m additions in Fg, 
while encoding can be performed with just $2k'nm$ additions
(XORs) in $\mathbb{F}_q$ [20]. Note that, if error control is not used
(i.e., $k' = n$), then the decoding complexity is smaller than
performing Gaussian elimination on the received matrix, and
the encoding complexity is even much smaller.

Although normal bases exist over any finite field, normal 
bases satisfying the above requirements exist only for certain 
choices of the extension degree $n$. In particular, for $q = 256$,
the choices of $n$ are limited to $n$ = 3, 5, 9, 11, 23, 29, 33,
35, 39, 41, 51, 53, 65, 69, 81, 83, 89, 95, 99, . . . ES. As can 
be seen, there is still a reasonable degree of flexibility that 
should be suitable for most applications. On the other hand, 
if low-complexity (though not necessarily optimal) normal 
bases are used (while retaining the properties of self-duality 
and Gaussianity), then an even greater degree of flexibility is 
possible (although with a slightly increased complexity). 

E. Extension to Noncoherent Network Coding 

The scheme described in the paper is suitable for co- 
herent network coding and is indeed optimal. In the case 
of noncoherent (random) network coding, the scheme can 
be adapted by including appropriate packet headers. More 
precisely, the transmission matrix should be $[I \ X]$, where $X$ is the transmission matrix of the original scheme. Clearly, including packet headers does not affect security (since the only information carried by the headers is the coding vectors, which are already assumed to be known by the eavesdropper), but allows the scheme to be decoded when the transfer matrix $A$ is unknown. It is shown in [13] that such adaptation preserves the error-correcting capability of the code, so the universally $t$-error-$\rho$-erasure-correcting property is maintained. Although the rate achieved in this case is no longer optimal, it is very close to optimal for all practical packet lengths [13].

VIII. Conclusion 

In this paper, we have addressed the problem of achieving 
secure and reliable communication over a linear coded network 
subject to wiretapping and also possibly to jamming. We 
have shown that universal schemes exist if the packet length 
is sufficiently large. In this case, no coordination is needed 
between the designs of the outer code and of the underlying 
network code; in particular, the field size for the network code 
may be chosen as the minimum required for feasibility. We 
have also shown that our proposed scheme is optimal in the 
sense of achieving the maximum possible rate and requiring 
the minimum possible packet length among all schemes that 
achieve this maximum rate. The proposed scheme is flexible 
in that it defines two layers above the network coding layer: 
a secrecy layer and a (secrecy-compatible) error control layer.
The amount of information rate, secrecy protection and error 
control provided by the scheme can be easily traded off against 
each other simply by adjusting the interface parameters. 

The main tool that we use in this paper is the theory of 
rank-metric codes. The proposed scheme borrows from our 
previous work on error control for network coding (without 
secrecy constraints) and admits very efficient encoding and 
decoding. 

For a network that transports $n$ packets with rank deficiency $\rho$, and is under the threat of an adversary who can eavesdrop on $\mu$ links and inject $t$ error packets, we have shown that the maximum achievable rate is at most $n - \rho - 2t - \mu$. This result assumes perfect secrecy and (one-shot) zero-error communication. If the latter requirement is relaxed to vanishingly small error probability, then it is possible to achieve a higher rate of $n - \rho - t - \mu$, provided that both the field size and the packet length grow to infinity. A natural, yet unsolved question is how to achieve this higher rate without requiring the field size to grow. Such a solution, if one exists, would reassure the "separation principle" advocated by this paper: that basic network coding on the one hand, and secrecy/error control protection on the other hand, can be treated as belonging to completely independent layers.

Another possible avenue for future work might be to generalize the results of this paper beyond multicast problems. An initial step in this direction has been given in [30].
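Appendix

Proof of Theorem 3: Let $\mathcal{Y}_x$ and $\mathcal{Y}'_x$ denote the fan-out sets of Definition 1 for $(\rho, t)$ and $(\rho', t')$, respectively. We have to prove that if $s_1, s_2 \in \mathcal{S}$ are distinct messages such that $(A', y') \in \mathcal{Y}'_{x_1} \cap \mathcal{Y}'_{x_2}$ for some $x_1 \in \mathcal{X}_{s_1}$ and $x_2 \in \mathcal{X}_{s_2}$, then the sets $\mathcal{Y}(s)$, $s \in \mathcal{S}$ (given by (4)), are not all pairwise disjoint.

Write $y' = A'x_1 + E'_1 = A'x_2 + E'_2$, where $\operatorname{rank} A' \ge n - \rho'$, $\operatorname{rank} E'_1 \le t'$ and $\operatorname{rank} E'_2 \le t'$. Let $E' = E'_1 - E'_2 = A'(x_2 - x_1)$, and note that $\operatorname{rank} E' \le 2t'$.

First, consider the case where $t' - t = \Delta > 0$. Let $T \in \mathbb{F}_q^{n \times n}$ be a matrix whose right null space is a subspace of $\langle E' \rangle$ with dimension $\min\{2\Delta, \operatorname{rank} E'\}$. Let $E = TE'$ and $A = TA'$. Then $\operatorname{rank} T \ge n - 2\Delta$,

$$\operatorname{rank} E = \operatorname{rank} E' - \min\{2\Delta, \operatorname{rank} E'\} \le \max\{2t' - 2\Delta, 0\} \le 2t$$

and

$$\operatorname{rank} A \ge \operatorname{rank} T + \operatorname{rank} A' - n \ge n - 2\Delta + n - \rho' - n \ge n - \rho.$$

Let $E_1, E_2 \in \mathbb{F}_q^{n \times m}$ be such that $E = E_1 - E_2$, $\operatorname{rank} E_1 \le t$, $\operatorname{rank} E_2 \le t$. Then $y = Ax_1 + E_1 = Ax_2 + E_2$, and therefore

$$(A, y) \in \mathcal{Y}_{x_1} \cap \mathcal{Y}_{x_2} \subseteq \mathcal{Y}(s_1) \cap \mathcal{Y}(s_2).$$

Now, consider the case where $\rho' - \rho = 2\Delta > 0$. Let $R \in \mathbb{F}_q^{n \times n}$ and $A = A' + R$ be such that $\operatorname{rank} R = 2\Delta$ and $\operatorname{rank} A = \operatorname{rank} A' + \operatorname{rank} R$. Then $\operatorname{rank} A \ge n - \rho' + 2\Delta = n - \rho$. Let $E = E' + R(x_2 - x_1) = A(x_2 - x_1)$. Note that $\operatorname{rank} E \le \operatorname{rank} E' + \operatorname{rank} R \le 2t' + 2\Delta \le 2t$. Once again, let $E_1, E_2 \in \mathbb{F}_q^{n \times m}$ be such that $E = E_1 - E_2$, $\operatorname{rank} E_1 \le t$, and $\operatorname{rank} E_2 \le t$. Then $y = Ax_1 + E_1 = Ax_2 + E_2$, and therefore

$$(A, y) \in \mathcal{Y}_{x_1} \cap \mathcal{Y}_{x_2} \subseteq \mathcal{Y}(s_1) \cap \mathcal{Y}(s_2).$$

The case where both $t' \le t$ and $\rho' \le \rho$ follows immediately from Definition 1. ■

Proof of Lemma 6: To prove the first statement, let $\mathcal{W} = \{Bx : x \in \mathbb{F}_{q^m}^{n}\}$ and $\mathcal{X}_{s,w} = \{x \in \mathbb{F}_{q^m}^{n} : s = Hx,\ w = Bx\}$. Observe that

$$\begin{aligned} H(W) &\le \log_{q^m} |\mathcal{W}| = \operatorname{rank} B \\ H(X|S) &= \log_{q^m} |\mathcal{X}_s| = n - \operatorname{rank} H \\ H(X|S,W) &\le \log_{q^m} |\mathcal{X}_{s,w}| = n - \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix}. \end{aligned}$$

By expanding $I(S, X; W)$ and noting that $S$ is a function of $X$, we have

$$\begin{aligned} I(S;W) &= I(S, X; W) - I(X; W|S) \\ &= H(W) - H(X|S) + H(X|S, W) \\ &\le \operatorname{rank} B + \operatorname{rank} H - \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix}. \end{aligned}$$

To prove the second statement, first note that

$$\dim(\langle H \rangle \cap \langle B \rangle) = \operatorname{rank} H + \operatorname{rank} B - \operatorname{rank} \begin{bmatrix} H \\ B \end{bmatrix}$$

where $\langle \cdot \rangle$ denotes the row space of a matrix. Let $t = \dim(\langle H \rangle \cap \langle B \rangle)$. Then there exist full-rank matrices $T_1 \in \mathbb{F}_{q^m}^{t \times \mu}$ and $T_2 \in \mathbb{F}_{q^m}^{t \times k}$ such that $T_1 B = T_2 H$ and $\operatorname{rank} T_2 H = t$. This implies that

$$T_1 W = T_1 B X = T_2 H X = T_2 S.$$

Since $S$ is uniform, we have that $I(S;W) \ge H(T_2 S) = t$. ■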



